On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.
Specifically, the lawsuit (as discussed in our prior blog) contended that Penn State failed to provide “adequate security” for Covered Defense Information (“CDI”), as contractually required by the DFARS 252.204-7012 clause. Under this clause, “adequate security” is defined as (at least) implementing all 110 security controls outlined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Moreover, federal regulations require DoD contractors to conduct a self-assessment of compliance with those 110 controls and report a compliance score (out of 110) in DoD’s Supplier Performance Risk System (“SPRS”). The lawsuit further alleged that Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations and put sensitive information at risk in a commercial cloud-storage service.
The DOJ originally declined to intervene in this lawsuit (as discussed in our prior blog). However, DOJ did opt to participate in the settlement negotiations. The settlement amount likely indicates a “cost of litigation” settlement with a desire to avoid further legal proceedings and expenses. There is no admission of wrongdoing on the part of Penn State. The whistleblower will receive a $250,000 share of the settlement amount.
Importantly for government contractors, FCA claims are on the rise. Principal Deputy Assistant Attorney General Brian M. Boynton (head of the DOJ’s Civil Division) announced that, in 2023 alone, DOJ opened 500 new FCA matters (a record high) and began investigating 712 qui tam lawsuits. Boynton also noted that cybersecurity FCA cases are a priority for 2024.
This DOJ settlement highlights the importance of robust contractor compliance systems and a culture that facilitates self-disclosure, internal investigations, and cooperation with the government. If cybersecurity compliance has not been at the top of your list, it is time (and likely past time) to move it up.
Sidney Howe also contributed to this article.